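def login_facebook():
    """Attempt to login a user with FB credentials encoded in the POST body.

    Expects the following form data:
        fb_access_token: Facebook user access token. This is used to verify
            that the user did authenticate with Facebook and is authenticated
            to our app. The user's FB ID is also obtained from this token.

    Responds with the session cookie via the `set-cookie` header on success.
    Send the associated cookie for all subsequent API requests that accept
    user authentication.

    Also returns the CSRF token, which must be sent as the value of the
    "X-CSRF-Token" header for all non-GET requests.

    Raises:
        api_util.ApiForbiddenError: if the token is missing, Facebook does not
            report it as valid, it carries no user id, or no account exists
            for that Facebook user.
    """
    # Prevent a CSRF attack from replacing a logged-in user's account with the
    # attacker's (login CSRF): a forged cross-site POST must not be able to
    # swap the victim's session over to the attacker's account.
    current_user = view_helpers.get_current_user()
    if current_user:
        return api_util.jsonify({'message': 'A user is already logged in.'})

    rmclogger.log_event(
        rmclogger.LOG_CATEGORY_API,
        rmclogger.LOG_EVENT_SIGNUP, {
            'type': rmclogger.LOGIN_TYPE_STRING_FACEBOOK,
        },
    )

    fb_access_token = flask.request.form.get('fb_access_token')
    # Reject a missing/empty token up front instead of forwarding an empty
    # value to Facebook. The token is a bearer credential: keep it out of
    # log lines and out of the response body.
    if not fb_access_token:
        raise api_util.ApiForbiddenError(
            'The given FB credentials are invalid.')

    # We perform a check to confirm the fb_access_token is indeed the person
    # identified by fbid, and that it was our app that generated the token.
    token_info = facebook.get_access_token_info(fb_access_token)
    # A response lacking `is_valid` is treated as invalid (403) rather than
    # surfacing a KeyError (500); `user_id` was already read with .get().
    if not token_info.get('is_valid') or not token_info.get('user_id'):
        raise api_util.ApiForbiddenError(
            'The given FB credentials are invalid.')

    fbid = str(token_info['user_id'])
    user = m.User.objects(fbid=fbid).first()
    if not user:
        raise api_util.ApiForbiddenError('No user with fbid %s exists. '
                'Create an account at uwflow.com.' % fbid)

    view_helpers.login_as_user(user)

    # TODO(sandy): We don't need to do this anymore, just use the endpoint
    csrf_token = view_helpers.generate_csrf_token()
    return api_util.jsonify({
        'message': 'Logged in user %s' % user.name,
        'csrf_token': csrf_token,
    })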
def csrf_token():
    """Return the CSRF token for the current session.

    Responds with the session cookie via the `set-cookie` header on success.
    You should send the associated cookie for (at least) all subsequent
    non-GET requests.

    Returns the CSRF token, which must be sent as the value of the
    "X-CSRF-Token" header for all non-GET requests.
    """
    token = view_helpers.generate_csrf_token()
    payload = {'token': token}
    return api_util.jsonify(payload)
def csrf_token():
    """Return the CSRF token for the current session.

    Responds with the session cookie via the `set-cookie` header on success.
    You should send the associated cookie for (at least) all subsequent
    non-GET requests.

    Returns the CSRF token, which must be sent as the value of the
    "X-CSRF-Token" header for all non-GET requests.

    NOTE(review): this file appears to define ``csrf_token`` twice; at import
    time the later definition is the one that remains bound to the name.
    """
    body = dict(token=view_helpers.generate_csrf_token())
    return api_util.jsonify(body)